Minutes IETF97: ace
minutes-97-ace-01

Meeting Minutes Authentication and Authorization for Constrained Environments (ace) WG
Date and time 2016-11-17 06:20
Title Minutes IETF97: ace
State Active
Last updated 2016-12-07

ACE WG Meeting
IETF 97 - Seoul
Thursday, 17 Nov, 2016, 15:20 - 17:50
Chairs: Kepeng Li, Hannes Tschofenig
Acting chairs: Barry Leiba, Nancy Cam-Winget
Minutes taker: Brian Rosen

* Agenda Bashing
Carsten: "Bar BOF" two interesting drafts, possibly for ACE.

* Actors (Carsten Bormann)
- http://datatracker.ietf.org/doc/draft-ietf-ace-actors/
Rob Wilton's comments partially addressed, remainder will come under Christmas Tree

* CBOR Web Token (Michael B. Jones)
- https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/
Issues being tracked in github
Better examples will be coming, volunteers are needed to validate them.
Carsten will help.

* Authorization using OAuth 2.0 (Ludwig Seitz)
- https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/
Removed references to OAuth Proof of Possession drafts, added ACE-PoP specs in
this framework draft and for each transport protocol (currently OSCOAP and
DTLS). Profile normative text scattered and currently all in Appendix C, should
they be in the normative part?

Simplified Token Request Protocol, removed negotiation, AS knows RS
capabilities based on registration info.

Implementations are underway at SICS and SEI/CMU.

Tony: Since you hacked stuff off of OAUTH, did you fix the problems we know
about?
Ludwig: Hannes did it, we need to check.
Carsten: Problems caused by redirect being worked in core.

* Ephemeral Diffie-Hellman Over COSE (John Mattsson)
- https://datatracker.ietf.org/doc/draft-selander-ace-cose-ecdhe/
Changed to Sigma for better security and align with IKEv2 and TLS 1.3
Two implementations underway: SICS and Jim Schaad.
Mike: I can't evaluate what is being done and why.  Shouldn't CFRG do this?
Jim: This is not a D-H exchange, this is a key exchange protocol using D-H.
Mike: I will suspend disbelief.
Jim: Symmetric Sigma, asymmetric Sigma-I, why shouldn't we use Sigma-I in both?
John: Yes, probably what we should do. Will update accordingly.
Ludwig: D-H for constrained environments, that's why it's here.

* OSCOAP profile of ACE  (Francesca Palombini)
- https://datatracker.ietf.org/doc/draft-seitz-ace-oscoap-profile/
Updated for OSCOAP and EDHOC
<explanation of how it works>
Carsten: Does resource server know that this is EDHOC message? Media type?
Francesca: Yes, we will consider this and add it to the profile.
Ludwig: Framework should talk about refresh token, an issue in github is
created for the framework.
Carsten: Should I implement now?
Francesca: maybe wait a little bit, but will do soon. Will keep you updated on
the mailing list.

* DTLS Profile for ACE (Carsten Bormann)
- https://datatracker.ietf.org/doc/draft-gerdes-ace-dtls-authorize/
Ludwig: We have seen two profiles: assumptions made that client and RS have
pre-established relationships with AS.  Should there be a constrained
environment profile of the registration profile?
Justin: should investigate, also the discovery process I agree with
registration is definitely problem in dynamic environment.
??: Management also an issue with dynamic registration I don't know how many
people implement registration things.

* Lightweight Authenticated Time (LATe) Synchronization Protocol (Renzo Navas, Remote)
- https://datatracker.ietf.org/doc/draft-navas-ace-secure-time-synchronization/
Renzo asks: Do we need a lightweight time synchronization mechanism?
??: this entity is guaranteed by this solution?
Carsten: we assume RS has association with AS, so this could work very well.
Matthias: Not having time synchronization for constrained environments is a
larger issue. There was a lot of work in Wireless Sensor Networks, it is often
required for applications, but none of the research results was standardized.
??: If you have multiple RS, each needs a pre-established relationship with AS?
Renzo: yes

* EST over COAP, Peter van der Stok
- https://datatracker.ietf.org/doc/draft-vanderstok-core-coap-est/
EST=Enrollment of Secure Transport
Peter asks: is there interest?
Brian: both drafts are interesting, and should be done here
Chairs: 6tisch group looking at it, design team working on aligning to BRSKI, do
convergence to constrained network once
Carsten: new response code must be done in CORE, rest is security, and should
be done in ACE
Jim: Have to learn more about BRSKI.  If we are doing enrollment protocols, EST
is the way, and do it over COAP.  Do full, then see
Chairs: you mean doing this in this working group? or in General?
Jim: do it here (6tisch conflicts with my other groups)
Brian: want to see work go, could be here or 6tisch
Kathleen (AD): Decide if we adopt first, then we'll work out conflicts.
Chairs: Is there interest in picking this up?
Humm: Accept (strong)
Chairs: get discussion going on mailing list
Goran: Lots of work, lots of drafts not yet adopted, should we adopt some of
those drafts?
Chairs: we don't adopt draft, we just discuss.

* TUDA: Time Based unidirectional attestation, Carsten Bormann

Chairs: Mike St Johns raised issues, about symmetric keys being a vulnerability
that could be used to repurpose devices to mount attacks, even if the normal
use case for those devices doesn't need high security.